I initially set up my firewall rules with the intention to have a single "drop" action at the end of the input and forward chains and only "whitelist" the traffic that I want to allow. However, since this is the first time I am doing this, and the wiki page (https://help.mikrotik.com/docs/display/ ... LANdevices) mentions some more drop rules and a fasttrack-connection, I got unsure. Could somebody check if my firewall rules are solid and what kind of optimization would make sense?
Code:
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow WireGuard traffic" src-address=192.168.100.0/24
add action=accept chain=input comment="Allow BASE Full Access" in-interface-list=BASE
add action=accept chain=input comment="Allow VLAN DNS Server Access" connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN DNS Server Access (UDP)" connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="Allow BASE access to all VLANs" connection-state=new in-interface-list=BASE out-interface-list=VLAN
add action=accept chain=forward comment="Allow BASE access to all VLANs" connection-state=new in-interface-list=BASE out-interface-list=VLAN-LOCAL
add action=accept chain=forward comment="Allow VLAN Internet Access" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow IOT SMB Access to NAS" connection-state=new dst-address=10.0.10.11 dst-port=445 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow X1 Access to Surveillance Station" connection-state=new dst-address=10.0.10.11 dst-port=9900 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to Surveillance Station" connection-state=new dst-address=10.0.10.11 dst-port=9901 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to File Station" connection-state=new dst-address=10.0.10.11 dst-port=7001 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to Home Assistant" connection-state=new dst-address=10.0.10.11 dst-port=8123 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Surveillance NTP Access for timesync" connection-state=new dst-port=123 in-interface=surveillance-vlan out-interface-list=WAN protocol=udp
add action=accept chain=forward comment="Allow Surveillance DNS Access" connection-state=new dst-port=53 in-interface=surveillance-vlan out-interface-list=WAN protocol=udp
add action=drop chain=forward comment=Drop
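One way the extra rules from the linked help page could be merged into this whitelist ruleset, as an added example that is neither the poster's configuration nor copied from the wiki: the interface-list names (BASE, VLAN, VLAN-LOCAL, WAN), interface names and ports are taken from the post; the fasttrack, drop-invalid and WAN rules and their placement are the assumptions.

```routeros
# Added example: whitelist ruleset from the post with the fasttrack and
# "drop invalid" rules slotted in. Rule order matters: RouterOS stops at the
# first matching rule in a chain.
/ip firewall filter
# --- input chain (traffic to the router itself) ---
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
# Assumed: drop invalid (untracked/malformed) packets before any accept rule can match them
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow WireGuard traffic" src-address=192.168.100.0/24
add action=accept chain=input comment="Allow BASE Full Access" in-interface-list=BASE
add action=accept chain=input comment="Allow VLAN DNS Server Access" connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN DNS Server Access (UDP)" connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment=Drop

# --- forward chain (traffic through the router) ---
# Assumed: fasttrack first. Packets of a fasttracked connection skip the rest of
# the filter and also mangle/queues, so only keep this if you do not rely on those.
add action=fasttrack-connection chain=forward comment="FastTrack" connection-state=established,related
# The normal accept stays right behind it: packets that cannot be fasttracked
# still need an accept, and filtering semantics are unchanged because this
# rule was already first in the chain.
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
# Assumed: only DST-NATed new connections from WAN may ever be forwarded, even if
# a later accept rule is written too broadly by mistake
add action=drop chain=forward comment="Drop un-NATed from WAN" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Allow BASE access to all VLANs" connection-state=new in-interface-list=BASE out-interface-list=VLAN
add action=accept chain=forward comment="Allow BASE access to all VLANs" connection-state=new in-interface-list=BASE out-interface-list=VLAN-LOCAL
add action=accept chain=forward comment="Allow VLAN Internet Access" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow IOT SMB Access to NAS" connection-state=new dst-address=10.0.10.11 dst-port=445 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow X1 Access to Surveillance Station" connection-state=new dst-address=10.0.10.11 dst-port=9900 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to Surveillance Station" connection-state=new dst-address=10.0.10.11 dst-port=9901 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to File Station" connection-state=new dst-address=10.0.10.11 dst-port=7001 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Mobile Access to Home Assistant" connection-state=new dst-address=10.0.10.11 dst-port=8123 in-interface=iot-vlan out-interface=base-vlan protocol=tcp
add action=accept chain=forward comment="Allow Surveillance NTP Access for timesync" connection-state=new dst-port=123 in-interface=surveillance-vlan out-interface-list=WAN protocol=udp
add action=accept chain=forward comment="Allow Surveillance DNS Access" connection-state=new dst-port=53 in-interface=surveillance-vlan out-interface-list=WAN protocol=udp
add action=drop chain=forward comment=Drop
```

Because the final drop in each chain already rejects everything not whitelisted, the added drop rules do not change what is allowed; they only stop invalid and un-NATed WAN packets earlier and act as a guard against an over-broad accept rule slipping in later.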